Apport refuses to generate core dumps inside containers

Bug #2112272 reported by sanad haj yahya
This bug affects 2 people
| Affects | Status | Importance | Assigned to | Milestone |
| --- | --- | --- | --- | --- |
| Apport | Fix Released | High | Unassigned | |
| apport (Ubuntu) | Fix Released | Critical | Simon Chopin | |

Bug Description

lsb_release -rd
Description: Ubuntu 22.04.5 LTS
Release: 22.04

apport:
  Installed: 2.20.11-0ubuntu82
  Candidate: 2.20.11-0ubuntu82.7
  Version table:
     2.20.11-0ubuntu82.7 500
        500 http://us-west-1.ec2.archive.ubuntu.com/ubuntu jammy-updates/main amd64 Packages
        500 http://security.ubuntu.com/ubuntu jammy-security/main amd64 Packages
 *** 2.20.11-0ubuntu82 500
        500 http://us-west-1.ec2.archive.ubuntu.com/ubuntu jammy/main amd64 Packages
        100 /var/lib/dpkg/status

What happened:

Version 2.20.11-0ubuntu82.7 introduced a new function called consistency_checks that now refuses to generate core dumps and logs the message "executable was modified after program start, ignoring."

However, this check fails in container environments because the binary resides inside container-specific directories, not directly on the host OS.

"if not os.path.exists(os.readlink('exe', dir_fd=proc_pid_fd))"

As a result, core dumps from containers are being discarded. Prior to this update, core dumps were generated correctly.

What you expected to happen:

When a process inside the container crashes, the apport running on the host OS should forward the core dump via a UNIX socket instead of exiting because the binary is not present on the host OS.

Changes:

https://launchpadlibrarian.net/796123959/apport_2.20.11-0ubuntu82.6_2.20.11-0ubuntu82.7.diff.gz

+process_start = get_process_starttime()
+if not consistency_checks(options, process_start):
+ sys.exit(0)
+
 # Check if we received a valid global PID (kernel >= 3.12). If we do,
 # then compare it with the local PID. If they don't match, it's an
 # indication that the crash originated from another PID namespace.
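Review bot: The new consistency_checks call and its sys.exit(0) run above the global PID comparison that the following comment describes as the indicator of a crash from another PID namespace, so a crash from a container can be dropped here before that comparison is reached. Either make the check valid for a process whose executable path does not resolve on the host, or add a comment stating that dropping such crashes is intended; the added lines also carry no comment explaining why a failed check exits with status 0.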
@@ -540,21 +617,24 @@
 if options.global_pid is not None:

consistency_checks should be after checking if the crash originated from another PID namespace.
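The difference between the existence check quoted in the report and a lookup below the crashing process's own root, as an added example (not apport's code and not part of the original report). The function names, the `/opt/demo-app-2112272/server` path and the fake `/proc/<pid>` directory built from ordinary symlinks are constructed for illustration.

```python
import os
import tempfile


def exe_exists_host_view(proc_pid_fd: int) -> bool:
    """Check quoted in the report: the exe path is resolved on the host."""
    return os.path.exists(os.readlink("exe", dir_fd=proc_pid_fd))


def exe_exists_in_proc_root(proc_pid_fd: int) -> bool:
    """Resolve the same path below the process's root (/proc/<pid>/root)."""
    exe = os.readlink("exe", dir_fd=proc_pid_fd)
    try:
        os.stat("root/" + exe.lstrip("/"), dir_fd=proc_pid_fd)
    except OSError:
        return False
    return True


def build_fake_proc(tmp: str, exe_present: bool) -> int:
    """Constructed stand-in for /proc/<pid> of a containerised process."""
    rootfs = os.path.join(tmp, "rootfs")
    os.makedirs(os.path.join(rootfs, "opt/demo-app-2112272"))
    if exe_present:
        open(os.path.join(rootfs, "opt/demo-app-2112272/server"), "w").close()
    proc = os.path.join(tmp, "proc-pid")
    os.mkdir(proc)
    # exe holds the path as seen inside the container; root points at its rootfs.
    os.symlink("/opt/demo-app-2112272/server", os.path.join(proc, "exe"))
    os.symlink(rootfs, os.path.join(proc, "root"))
    return os.open(proc, os.O_RDONLY | os.O_DIRECTORY)


def demo() -> dict:
    """Return (host_view, proc_root_view) for a present and a removed exe."""
    results = {}
    for label, present in (("exe_present", True), ("exe_removed", False)):
        with tempfile.TemporaryDirectory() as tmp:
            fd = build_fake_proc(tmp, present)
            try:
                results[label] = (exe_exists_host_view(fd),
                                  exe_exists_in_proc_root(fd))
            finally:
                os.close(fd)
    return results


if __name__ == "__main__":
    print(demo())
```

The host-view check reports the executable as missing in both cases, while the proc-root lookup only fails when the file is really gone from the container's filesystem.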

sanad haj yahya (shaj13) wrote :

sudo cat /var/log/apport.log
ERROR: apport (pid 35423) Sun Jun 1 11:54:36 2025: executable was modified after program start, ignoring
ERROR: apport (pid 139024) Sun Jun 1 12:13:41 2025: executable was modified after program start, ignoring
ERROR: apport (pid 161415) Sun Jun 1 12:15:26 2025: executable was modified after program start, ignoring
ERROR: apport (pid 188105) Sun Jun 1 12:16:14 2025: executable was modified after program start, ignoring

Simon Chopin (schopin) wrote :
Changed in apport (Ubuntu):
status: New → In Progress
assignee: nobody → Simon Chopin (schopin)
importance: Undecided → Critical
Benjamin Drung (bdrung) wrote :

Thank you for taking the time to report this bug and contributing to Ubuntu. This issue is a regression of the recent security update (bug #2107472).

Benjamin Drung (bdrung)
Changed in apport:
status: New → In Progress
Benjamin Drung (bdrung)
Changed in apport:
importance: Undecided → High
milestone: none → 2.33.0
Benjamin Drung (bdrung)
Changed in apport:
status: In Progress → Fix Committed
Benjamin Drung (bdrung) wrote :

Bug #2112464 might be fixed with this fix as well.

Benjamin Drung (bdrung)
Changed in apport:
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apport - 2.33.0-0ubuntu1

---------------
apport (2.33.0-0ubuntu1) questing; urgency=medium

  * New upstream release
    - SECURITY UPDATE: Report file insecure permissions (LP: #2106338)
      + Do not change report group to report owner's primary group.
      + CVE-2025-5467
    - SECURITY UPDATE: Race condition when forwarding core files to containers
      (LP: #2107472)
      + apport: move consistency_checks call further up
      + apport: do not override options.pid
      + apport: open /proc/<pid> as early as possible
      + fileutils: respect proc_pid_fd in get_core_path
      + apport: use opened /proc/<pid> everywhere
      + apport: do consistency check before forwarding crashes
      + apport: require --dump-mode to be specified
      + apport: determine report owner by dump_mode
      + apport: do not forward crash for dump_mode == 2
      + apport: support pidfd (%F) parameter from kernel
      + CVE-2025-5054
    - test: support coreutils rename to gnu-coreutils (LP: #2111595)
    - setuptools/java: use snakecase for option name (LP: #2111595)
    - apport: look for the exe within the proc root mount (LP: #2112272)
  * Depend on gnu-coreutils for integration/system tests
  * Depend on python3-pytest-cov in addition to python3-pytest
  * Drop patches applied upstream and refresh remaining patches
  * Address some Pyright complaints in ubuntu general hook

 -- Benjamin Drung <email address hidden> Fri, 06 Jun 2025 13:53:15 +0200

Changed in apport (Ubuntu):
status: In Progress → Fix Released
Octavio Galland (octagalland) wrote :

Hi Sanad, thanks for reporting this. The fix has been backported to jammy in version `2.20.11-0ubuntu82.8`. Could you confirm if this fixed the issue?

Thanks again!

Benjamin Drung (bdrung) wrote :

FTR this has been fixed in the stable releases:

* plucky-security: 2.32.0-0ubuntu5.2
* oracular-security: 2.30.0-0ubuntu4.4
* noble-security: 2.28.1-0ubuntu3.7
* jammy-security: 2.20.11-0ubuntu82.8
* focal-security: 2.20.11-0ubuntu27.29

sanad haj yahya (shaj13) wrote :

Hi Octavio,
Thanks for the quick turnaround. I’ve tested it and also ran our core generation tests via CI/CD — everything is working as expected now.

Much appreciated!

/sanad
